Sony CEO's Rootkit Mea Culpa -- Sort Of

June 7, 2006

Yesterday, the Wall Street Journal published a transcript of an interview with Sir Howard Stringer, CEO of Sony Corporation, about Sony’s strengths and weaknesses in the consumer electronics market. WSJ technology critic Walter Mossberg, who conducted the interview onstage at the Journal’s “D: All Things Digital” conference in Carlsbad, CA, needled Stringer about a range of issues, including the decision last year by Sony BMG – Sony’s joint venture with the giant European record label BMG – to protect music CDs against piracy using copy-protection software called XCP. As consumers learned last autumn, the software cloaked itself using a hacker-underground tool called a “rootkit” that exposed millions of customers’ computers to hackers and viruses (see my feature story “Inside the Spyware Scandal,” March/April 2006).

Stringer was remarkably candid with Mossberg about other matters, such as Sony’s lack of sophistication when it comes to the software included with products like the digital Walkman, intended as an iPod competitor. But when Mossberg asked about the rootkit fiasco, Stringer turned defensive.

Mossberg: …When is your next copy-protected CD coming out that will install, you know, malicious software? How did that happen?

Stringer: Actually, it didn’t go so far. Computers did not crash. Big Ben did not stop. I’m not trying to blame somebody else, but this was an attempt to do the right thing at a low level. The senior management of BMG or Sony did not know this was going on. We responded very quickly and put out patches. … We didn’t say to ourselves, as a company, we’re going to screw every computer in town. We made a mistake and Sony paid a terrible price.

It’s interesting, and long overdue, to see Sony’s CEO admitting that the company made a mistake. But in other respects, Stringer’s answer is typical of the company’s ham-fisted response to the rootkit problem ever since the scandal broke last fall. For Stringer to say that “computers did not crash,” for example, may be technically true, but it shows a remarkable lack of understanding of the rootkit’s real impact. Anyone who found the rootkit on their computer and attempted to remove XCP on their own quickly found that their CD drive had become inoperable. For many users, repairing the problem meant reinstalling their entire operating system.

Now, a mea culpa of my own: The glaringly obvious weakness in my feature on the rootkit fiasco was that I did not, in the end, have enough information to say reliably who at Sony knew what about XCP and when. Sony BMG stonewalled my direct requests for comments, and I failed to dig up other sources who might have given me the inside scoop. Instead, my story was largely a retelling of outsiders’ discovery of the rootkit and how consumers reacted to the news. The story filled a need, I hope: no one else had brought all the details and characters together into a single readable account. But I wasn’t able to finger the responsible party.

In his interview with Mossberg, Stringer places responsibility for the copy-protection decision on “low-level” people at Sony BMG who were attempting to “do the right thing.” (By “the right thing,” one can only assume that Stringer means “making sure consumers can’t make too many copies of our music.”) He says senior managers had no clue about XCP, which was licensed from a U.K. software company called First 4 Internet.

That part is easy to believe. I had assumed as much. As computer security guru Bruce Schneier put it in an interview with me, “The question ‘What is going on with XCP?’ – I can’t imagine anyone at the executive level [at Sony] using those words.” Executives should have been asking questions, but given Sony’s blind spot for software, it’s not surprising that they didn’t.

The actual idea of using a rootkit-like technique to prevent PC owners from finding or tampering with XCP once it had been installed must have originated with First 4 Internet (whose executives also declined to be interviewed for my article). That decision was a poor one; as my article explains, it made it possible for any hacker who learned about the XCP rootkit to hide his own malware under the same cloak.

But First 4 Internet was, in the end, merely a supplier. Someone at Sony BMG licensed the software and decided to distribute it on millions of music CDs manufactured in early 2005. As Stringer told Mossberg in another part of the WSJ interview, Sony has “a lot of brilliant software engineers, but they create embedded software. We have had a great problem with application software.” If Sony itself has a software deficit, then it’s logical to assume that its music division is even farther behind the curve. My guess is that no one at Sony BMG understood digital rights management software well enough to put XCP through a basic code review or quality-assurance process. But exactly who let the rootkit slip through, we may never know.

The “terrible price” Sony paid for this error was not really a financial one. In a class-action settlement agreement approved by the courts last month, the company promised to pay $7.50 per disc to anyone who purchased a CD containing XCP – damages that would add up to no more than $20 million even if consumers were to put in compensation claims for every single XCP-protected disc ever sold.

The real price was the blow to Sony’s credibility and to its image as a company trying to enhance people’s lives with better gadgets, music, and movies. Stringer’s remarks don’t go very far toward repairing that problem.